“Pending Full Review”

  • Resolved Kyle Van Deusen

    (@skvandeusen)


    5 years ago

    I see that this plugin has been removed. I’m using this on TONS of installs. Any word as to why?

Viewing 10 replies - 1 through 10 (of 10 total)
  • nathanoleary

    (@nathanoleary)

    Maybe this:

    https://wpvulndb.com/vulnerabilities/9937

    Plugin Contributor Daryll Doyle

    (@enshrined)

    Hi @skvandeusen,

    That’s correct, there has been a bypass found for the underlying sanitiser. The WordPress team have disabled downloads until a fix has been confirmed.

    I’m currently working on a fix and am hoping to have something ready by the end of the week, although we will have to wait for the WordPress team to review the fix before its re-enabled.

    In my opinion, there’s no real reason to worry. It’s still more secure than any other SVG option out there (which offer no sanitisation) and a fix will be out shortly for the bypass found.

    Sorry for the inconvenience and I hope we can get it sorted soon.

    Cheers,
    Daryll

    Thread Starter Kyle Van Deusen

    (@skvandeusen)

    Ah— that sounds like something I don’t need to be extremely worried about as I’m uploading SVG’s that I create myself ??

    I just wish WP repo would be more detailed about why these things happen. I’m glad they are doing their best to make sure things are safe… but there’s no distinction between something small (like this) and something catastrophic.

    Plugin Contributor Daryll Doyle

    (@enshrined)

    Hi All,

    Just as an update, a fix for the issue has been found and committed to the WordPress repository.

    We now have to wait for the WordPress plugin team to review the fix and then it should be available for you to all update to.

    Thanks for your patience.

    Cheers,
    Daryll

    Ugur

    (@ugurterzi)

    Thanks for the update @enshrined

    blusilva

    (@blusilva)

    Thanks for the update. ?? Also have this on quite a few sites. Deploying a site right now and I saw it didn’t come up in the search. Glad it’s not gone for good.

    Steve

    (@puddesign)

    ah so are SVG only a problem if you don’t make them yourself? So, for instance, I make my own in illustrator does that mean they don’t need sanitising?

    Plugin Contributor Daryll Doyle

    (@enshrined)

    Hi All,

    The WordPress review has now gone through successfully and the plugin is available for download. Please make sure you all upgrade to the latest version 1.9.6 in order to be fully secure again!

    Thanks for your patience while we got this sorted ??

    Cheers,
    Daryll

    dancappdesign

    (@dancappdesign)

    N/A

    • This reply was modified 5 years ago by dancappdesign. Reason: Own mistake. Solved

    are SVG only a problem if you don’t make them yourself? So, for instance, I make my own in illustrator does that mean they don’t need sanitising?

    Correct. (unless your computer or site are pwned in some unspeakable way to attack SVGs, but if that is the case, you have bigger problems)

    For client’s who are too cheap to buy the pro version (which is excellent, by the way), I run my SVGs through svgo anyway regardless of source, because why not?

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘“Pending Full Review”’ is closed to new replies.

Tags